FFe: Sync request-tracker3.8 3.8.10-1 (universe) from Debian unstable (main)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| request-tracker3.8 (Ubuntu) |
Fix Released
|
Wishlist
|
Unassigned | ||
Bug Description
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
affects ubuntu/
status new
importance wishlist
subscribe ubuntu-release
done
Please sync request-tracker3.8 3.8.10-1 (universe) from Debian unstable (main)
Explanation of FeatureFreeze exception:
There's one intermediate release from what we have in Natty and the most
recent release, so an FFe is appropriate, but given that it's in Universe and
the most recent update fixes a hefty six CVES, I think we ought to have it in.
It's also made it to Debian Testing, so it's at least not obvoiusly RC buggy
and I tested it builds in Natty. I think the security updates outweigh any
regression risk potential.
Changelog entries since current natty version 3.8.8-7:
request-tracker3.8 (3.8.10-1) unstable; urgency=high
* New upstream release; includes multiple security fixes
(Closes: #622774):
- Remote code execution in external custom fields (CVE-2011-1685)
- Information disclosure via SQL injection (CVE-2011-1686)
- Information disclosure via search interface (CVE-2011-1687)
- Information disclosure via directory traversal (CVE-2011-1688)
- User javascript execution via XSS vulnerability (CVE-2011-1689)
- Authentication credentials theft (CVE-2011-1690)
* Update Standards-Version (no changes)
-- Dominic Hargreaves <email address hidden> Thu, 14 Apr 2011 18:37:55 +0100
request-tracker3.8 (3.8.9-1) unstable; urgency=low
* New upstream release; includes:
- fastcgi_server now honours "-s" flag (Closes: #597496)
* Remove patches 10_rt_confdir, 40_versioned_
60_
* Remove long-obsoleted patch 09_commandline (Closes: #592794)
* Remove Debian-specific installation of vulnerable-
script now included upstream, and update postinst accordingly
* Update Standards-Version (no changes)
* Include some additional utility manpages from RT 4 to fix missing
manpage Lintian warnings
* Include BSD license text in debian/copyright (thanks, Lintian)
* Remove some .in files mistakenly installed in
/usr/
-- Dominic Hargreaves <email address hidden> Fri, 18 Feb 2011 22:51:42 +0000
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAk2
yyMAnjP+
=5/bV
-----END PGP SIGNATURE-----
| Scott Kitterman (kitterman) wrote | #1 |
| Scott Kitterman (kitterman) wrote | #2 |
| Iulian Udrea (iulian) wrote | #3 |
| Changed in request-tracker3.8 (Ubuntu): | |
| status: | New → Confirmed |
| Colin Watson (cjwatson) wrote | #4 |
| Changed in request-tracker3.8 (Ubuntu): | |
| status: | Confirmed → Fix Released |
Debdiff between Ubuntu and Debian attached for the record. It's not particularly reviewable and I don't propose anyone read the whole thing.